LinuxQuestions.org

ALInux 11-14-2005 12:47 PM

simple iptable question
 
I've been studying iptables for a day or two. I just have one question:

If I want to set up a firewall and SNAT (masquerading):

I enter all the firewall rules first.
After that I append the NAT rules because they must be at the end, right?

Now suppose I want to change my firewall rules ... I enter the new or changed rules and then what?

Do I have to re-enter the NAT info so that it is appended at the end,
or is it normal to re-enter the firewall rules after the NAT rules (although that does not sound correct)?

SirGertrude 11-15-2005 06:55 PM

The only time you need to be concerned with the placement of rules is when you are dealing with rules in the same chain.

There are three tables in netfilter by default:

- Mangle
- NAT
- Filter

Any packet that arrives at your interface will always follow the above path from top to bottom.

Inside each table there are several default chains:

- Mangle
------- Prerouting (Add marks, TOS, etc before routing process occurs)
------- Output (Add marks, TOS, etc to packets originating locally)
- NAT
------- Prerouting (Affects packets before routing process)
------- Output (Affects packets originating locally)
------- Postrouting (Affects packets after routing process)
- Filter
------- Input (Affects packets coming in on an interface)
------- Output (Affects packets going out on an interface they were received on)
------- Forward (Affects packets going in one interface and out another - between networks)

Rules in each chain should be placed in order of expected use. The reason for this is that once a packet matches a rule the action is performed and the packet does not consume any more system resources. If you run a webserver you probably want the first rule in your input chain to be "iptables -A INPUT -p tcp --dport 80 -j ACCEPT".

You can view your rules and their positions using the command: "iptables -vnL --line-numbers". By default this shows the filter table. Use "-t" to show a different table. "iptables -vnL --line-numbers -t nat" will show all rules in the nat table including their position in their chains.

To answer your question... SNAT is performed in the postrouting chain of the nat table, and since you will probably only have one rule for this you don't really need to worry about other changes affecting your SNAT rule. Just make sure that you are accepting traffic on the LAN interface (INPUT chain) and you employ a stateful firewall. There are always exceptions to this, but I don't think you are creating anything phenomenal here.

Hope this helps.
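The point of the answer above (position only matters within one chain, and the tables are walked mangle -> nat -> filter no matter which order you typed the rules in) can be checked without touching a live firewall. The script below is an added example, not code from the thread: it writes an iptables-restore ruleset in which the nat table deliberately comes *before* the filter table, and two small awk helpers report a rule's position within its chain the way "iptables -vnL --line-numbers" would. The interface names eth0/eth1, the 192.168.1.0/24 LAN and the function names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the LinuxQuestions thread. Builds an iptables-restore
# ruleset and inspects rule positions per chain. It never calls iptables, so it
# runs without root; load the file yourself with `iptables-restore < FILE` only
# after reviewing it. eth0 = WAN, eth1 = LAN, 192.168.1.0/24 = LAN (all assumed).

# Write the ruleset to the file named in $1. The nat table is written first on
# purpose: netfilter still evaluates mangle, then nat, then filter.
write_ruleset() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# the single SNAT/masquerade rule lives in POSTROUTING of the nat table
-A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# most-used rules first: the first match ends processing for that packet
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT
COMMIT
EOF
}

# Print the 1-based position of the first rule in TABLE/CHAIN whose text contains
# PATTERN (0 if none), i.e. the "num" column of `iptables -vnL --line-numbers -t TABLE`.
# Usage: rule_position FILE TABLE CHAIN PATTERN
rule_position() {
    awk -v table="*$2" -v chain="$3" -v pat="$4" '
        /^\*/ { in_table = ($0 == table); next }
        in_table && $1 == "-A" && $2 == chain {
            n++
            if (!found && index($0, pat)) { print n; found = 1 }
        }
        END { if (!found) print 0 }
    ' "$1"
}

# Print how many rules TABLE/CHAIN holds.
# Usage: chain_length FILE TABLE CHAIN
chain_length() {
    awk -v table="*$2" -v chain="$3" '
        /^\*/ { in_table = ($0 == table); next }
        in_table && $1 == "-A" && $2 == chain { n++ }
        END { print n + 0 }
    ' "$1"
}

# Demonstration: the MASQUERADE rule is alone in nat/POSTROUTING, so nothing you
# later append to filter/INPUT can move it; the web rule is 4th in filter/INPUT.
f=$(mktemp)
write_ruleset "$f"
echo "MASQUERADE: rule $(rule_position "$f" nat POSTROUTING MASQUERADE) of $(chain_length "$f" nat POSTROUTING) in nat/POSTROUTING"
echo "port 80 ACCEPT: rule $(rule_position "$f" filter INPUT '--dport 80') of $(chain_length "$f" filter INPUT) in filter/INPUT"
rm -f "$f"
```

Appending a new firewall rule means adding one more `-A INPUT ...` line under `*filter`; the nat section is untouched, which is exactly why the NAT rule does not need to be re-entered.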

ALInux 11-16-2005 05:08 AM

Thanks for the effort, I appreciate all the information you provided.
But I occasionally misinterpret information, so let's just make sure that I understood it right:

It does not matter in which order I enter the rules for separate chains, so I might configure the NAT chain and after that the FILTER chain, as long as I enter all commands correctly. The only thing that I have to worry about is that I enter the rules into each separate chain correctly.

????
